USMetrics

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill mandates a background curl command to http://localhost:8888/notify upon invocation. This is used for local voice notifications and targets the local machine only.
  • [EXTERNAL_DOWNLOADS]: Data is fetched from well-known and trusted official sources including the Federal Reserve (FRED API), the Energy Information Administration (EIA API), and the U.S. Treasury (FiscalData API). These are documented and expected for the skill's purpose.
  • [PROMPT_INJECTION]: The skill includes a feature to load customizations from ~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/USMetrics/. While intended for user preferences, this is an indirect prompt injection surface as it allows external files to override agent instructions.
  • [SAFE]: The skill uses environment variables for API key management and performs file operations within its own project scope, following security best practices for local agent tools.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — USMetrics